On Fri, 2008-10-24 at 13:45 +0100, sebb wrote:
> On 24/10/2008, Lovette, Steve <[EMAIL PROTECTED]> wrote:
> > Sebbaz
> >
> > From what I have read, the use of algorithms that have been shown to be
> > breakable becomes unacceptable. There is literature on the web about
> > this. From reading the government NIST web site and the government STIGs,
> > they recommend that only the SHA-x algorithms be used in sensitive
> > applications. MD5 is not a government approved algorithm to be used in
> > hashing functions where encryption is involved.
>
> OK, but so what?
>
> > That said, your point about HTTP client may well be the best counterpoint.
> > Since HTTP client runs on the client, and the client is always
> > suspect, then perhaps this is a sufficient argument.
>
> I think you still misunderstand what HC is for.
>
> It is irrelevant where HC runs; the point is that it is a client
> library, i.e. it talks to servers.
>
> If the server needs MD5 for something, then HC will use that.
> HC does not use MD5 for its own purposes.
Sebastian, et al.,

I took a brief look at the DIGEST authentication scheme implementation in HttpClient 4.0, and it appears HttpClient will reject a challenge unless the specified digest algorithm is either MD5 or MD5-sess. As far as I can tell, these are the two algorithms mentioned in RFC 2617. There is no mention of SHA-x algorithms in the spec. However, it would certainly make sense to ensure HttpClient can support alternative digests if the server requests an algorithm other than MD5 or MD5-sess.

Steve,

If you think the present implementation of DIGEST authentication is not secure enough, feel free to open a JIRA for this issue:

https://issues.apache.org/jira/browse/HTTPCLIENT

Oleg

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
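The RFC 2617 computation Oleg's message refers to, as an added example that is not part of the original thread and not HttpClient code: a client parses a `WWW-Authenticate: Digest` challenge and computes the `response` value for `MD5` or `MD5-sess`, and a server-side check recomputes it from the stored password. It goes beyond the mail in one respect: the algorithm table also carries the `SHA-256` / `SHA-256-sess` tokens that RFC 7616 later added, so the "server requests an algorithm other than MD5" case can be exercised, and any token outside the table is rejected the way the mail describes HttpClient 4.0 doing. The challenge and credentials below are the worked example from RFC 2617 section 3.5; `qop=auth-int` (which hashes the body) is deliberately not implemented here, and the parser is a minimal one for the header shapes shown, not a general RFC 2617 parser.

```python
import hashlib
import re

# Algorithm token (as sent by the server) -> hash constructor.
# MD5 and MD5-sess are the two tokens defined by RFC 2617; the SHA-256
# pair is the RFC 7616 extension included here as the "alternative digest".
_HASHES = {
    "MD5": hashlib.md5,
    "MD5-sess": hashlib.md5,
    "SHA-256": hashlib.sha256,
    "SHA-256-sess": hashlib.sha256,
}


class UnsupportedAlgorithm(ValueError):
    """Raised for an algorithm token the client does not implement."""


def _h(algorithm, data):
    """Hex digest of `data` under the named Digest algorithm."""
    try:
        ctor = _HASHES[algorithm]
    except KeyError:
        raise UnsupportedAlgorithm(algorithm) from None
    return ctor(data.encode("utf-8")).hexdigest()


def parse_digest_params(header):
    """Split 'Digest k=v, k="v", ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"')
            for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,\s]+)', params)}


def digest_response(algorithm, username, realm, password,
                    method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 3.2.2 request-digest for qop=auth (or no qop)."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    if algorithm.endswith("-sess"):
        # *-sess variants bind HA1 to this nonce/cnonce pair.
        ha1 = _h(algorithm, f"{ha1}:{nonce}:{cnonce}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    if qop:
        return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(algorithm, f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatibility


def client_authorize(challenge, username, password, method, uri, cnonce,
                     nc="00000001"):
    """Client side: turn a challenge into the Authorization parameters."""
    ch = parse_digest_params(challenge)
    algorithm = ch.get("algorithm", "MD5")  # RFC 2617 default
    qop = "auth" if "auth" in ch.get("qop", "").split(",") else None
    resp = digest_response(algorithm, username, ch["realm"], password,
                           method, uri, ch["nonce"], nc, cnonce, qop)
    out = {"username": username, "realm": ch["realm"], "nonce": ch["nonce"],
           "uri": uri, "algorithm": algorithm, "cnonce": cnonce,
           "response": resp}
    if qop:
        out["qop"], out["nc"] = qop, nc
    if "opaque" in ch:
        out["opaque"] = ch["opaque"]  # echoed back untouched
    return out


def server_verify(authz, password, method):
    """Server side: recompute the digest from the stored password."""
    expected = digest_response(authz.get("algorithm", "MD5"),
                               authz["username"], authz["realm"], password,
                               method, authz["uri"], authz["nonce"],
                               authz.get("nc", ""), authz.get("cnonce", ""),
                               authz.get("qop"))
    # Constant-time compare so the check itself is not a timing oracle.
    import hmac
    return hmac.compare_digest(expected, authz["response"])


# Challenge and credentials taken from the RFC 2617 section 3.5 example.
RFC2617_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
RFC2617_PASSWORD = "Circle Of Life"


def rfc2617_example():
    """Returns the Authorization parameters for the RFC 2617 worked example."""
    return client_authorize(RFC2617_CHALLENGE, "Mufasa", RFC2617_PASSWORD,
                            "GET", "/dir/index.html", cnonce="0a4f113b")
```

The `response` value this produces for the RFC 2617 example is the one printed in the RFC (`6629fae49393a05397450978507c4ef1`), which is the quickest way to confirm an implementation is hashing the fields in the right order. Note that even the `-sess` variants and the SHA-256 tokens only change the hash function; the protocol still sends the password-derived digest over the wire, so the choice of algorithm does not address the thread's concern about where the library runs.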
